The Disaster Recovery Program Has Improved, but It Should Be Reported As a
Material Weakness Due to Limited Resources and Control Weaknesses

March 2005

Reference Number: 2005-20-024

This report has cleared the Treasury Inspector General for Tax Administration disclosure
review process and information determined to be restricted from public release has been
redacted from this document.

DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

INSPECTOR GENERAL for TAX ADMINISTRATION

March 1, 2005

MEMORANDUM FOR CHIEF INFORMATION OFFICER
               CHIEF, MISSION ASSURANCE

FROM:     Pamela J. Gardiner
          Deputy Inspector General for Audit

SUBJECT:  Final Audit Report - The Disaster Recovery Program Has
          Improved, but It Should Be Reported As a Material Weakness
          Due to Limited Resources and Control Weaknesses
          (Audit # 200420031)

This report presents the results of our review of the Internal Revenue Service’s (IRS)
disaster recovery program. The objective of this review was to provide an overall
assessment of the IRS’ disaster recovery program.

In summary, the IRS Commissioner stated, in the IRS Strategic Plan 2005 – 2009,[1]
“. . . providing excellent service to taxpayers and enforcing America’s tax laws in a
balanced manner . . .
are equally important priorities.” The means and strategies to
accomplish the Strategic Plan goals include “Develop, exercise and maintain continuity
of operations plans, contingency plans and other measures to protect critical
infrastructure.” During Fiscal Years (FY) 2002 through 2004, IRS management initiated
and/or completed several actions that demonstrated the increased emphasis on
emergency management and preparedness, including disaster recovery planning. For
example, Modernization and Information Technology Services (MITS) organization
management implemented an inhouse Master File[2] disaster recovery capability and
completed corrective actions on prior audit recommendations. Mission Assurance (MA)
organization management began coordinating the Business Resumption Strategy and
Disaster Recovery Strategy development efforts and established the Emergency
Management and Preparedness Working Group to help coordinate and facilitate the
development of all IRS emergency preparedness activities.

[1] Publication 3744, revised June 2004.
[2] The IRS database that stores various types of taxpayer account information. The Individual,
    Business, and Employee Plans Master Files were identified as critical business systems.

However, significant disaster recovery program weaknesses continue to be unresolved.
Our analysis of 11 prior Treasury Inspector General for Tax Administration (TIGTA)
audit reports identified recurring disaster recovery program weaknesses, including
modernization systems being placed in production without a disaster recovery
capability, insufficient disaster recovery capacity, roles and responsibilities not being
assigned and employees not being trained, and annual tests not being conducted or not
being effective (see Appendix IV for a list of the 11 reports). We also determined 27 of
44 corrective actions for prior recommendations had not been completed.

Shrinking budgets have limited management’s efforts to correct disaster recovery
problems. The IRS Information Systems and Business Systems Modernization (BSM)
budgets have decreased from 7,466 Full-Time Equivalents (FTE)[3] and $1.971 billion in
FY 2003 to 7,385 FTEs (1.1 percent reduction) and $1.958 billion (0.7 percent
reduction, including a 24.4 percent reduction in the BSM budget) in FY 2005.

Since October 2001, MITS organization management has worked to provide resources
to improve disaster recovery capabilities, with limited results. After the terrorist attacks
on September 11, 2001, the Congress approved $13.5 million for the Master File
disaster recovery capability. However, requests for $74.1 million to fund disaster
recovery needs were turned down. For FY 2005, Enterprise Operations office
management requested $16.7 million for Enterprise Computing Center[4] mainframe
computer improvements that would ensure disaster recovery capabilities.
However, budget cuts have prevented management from reallocating funds to these items.

The Modernization Disaster Recovery Project has not developed and implemented a
midrange computer system disaster recovery infrastructure although the Modernized
e-File system[5] is in production and additional midrange computer systems, such as the
Integrated Financial System[6] and Custodial Accounting Project,[7] are scheduled to enter
production in FY 2005.

Finally, MITS organization management advised us personnel trained and responsible
for disaster recovery support duties were reassigned to the MA organization in the
October 2003 MA organization realignment, but the MITS organization is still
responsible for the duties. Senior MITS and MA organization managers are working on
this issue but, as of August 2004, had not resolved how best to transfer the personnel
resources or work.

[3] A measure of labor hours in which 1 FTE is equal to 8 hours multiplied by the number of
    compensable days in a particular fiscal year. For FY 2004, 1 FTE was equal to 2,096 staff
    hours. For FY 2005, 1 FTE is equal to 2,088 hours.
[4] IRS Computing Centers support tax processing and information management through a data
    processing and telecommunications infrastructure.
[5] Develops the modernized web-based platform for filing IRS forms electronically.
[6] Provides the IRS better financial budgeting, planning, tracking, reporting, and management.
[7] Uses a data warehousing approach to provide the IRS detailed taxpayer account information
    to be used for analysis and financial reporting.

In addition, insufficient management oversight has hampered the identification and
resolution of program weaknesses. MA organization management advised us the
Federal Information Security Management Act (FISMA)[8] requirements are the focus of
their security program oversight efforts.
However, the TIGTA’s FY 2004 FISMA report
to the Department of the Treasury[9] stated the IRS Plans of Action and Milestones
(POA&M) do not contain details sufficient to permit oversight and tracking of security
weaknesses. As a result, the current POA&M system weaknesses could not be
analyzed for recurring issues that might indicate systemic problems that should be
elevated to the program weakness level. Insufficient resources and management
oversight increase the risk that the critical systems supporting the IRS Commissioner’s
service and enforcement priorities cannot be timely recovered if a disaster occurs.

To ensure service and enforcement priorities can be met, we recommended the Chief
Information Officer (CIO) report a disaster recovery program material weakness to the
Department of the Treasury and include new and currently underway improvement
activities in the corrective action plan. The CIO should also work with the Chief, MA, to
implement FISMA POA&M procedures to analyze system weaknesses for systemic
problems and elevate them as program-level weaknesses.

Management’s Response: IRS management agreed with our recommendations and will
declare the disaster recovery program a material weakness. IRS management
responded the IRS could recover all vital data for the most mission critical information
technology systems, including the Master File and the Customer Account Data Engine
(CADE).[10] They are committed to increasing disaster recovery capabilities based on
available funding and an evaluation of cost and risk factors. The MA organization is
responsible for coordinating the development of an IRS-wide business resumption
strategy. The MITS organization has identified its current disaster recovery and
business resumption strategies, including both data recovery point and recovery time
objectives, for all major systems.
The crucial business processes were identified and
prioritized and will be mapped to the specific computing system major applications and
general supporting systems, and a gap analysis will be conducted to identify inadequate
disaster recovery capabilities. IRS management will also coordinate with the
Department of the Treasury and the Office of Management and Budget to request the
necessary funding. In addition, IRS senior leadership established an executive working
group to implement FISMA POA&M procedures. Management’s complete response to
the draft report is included as Appendix V.

[8] E-Government Act of 2002, Pub. L. No. 107-347, Title III, Section 301, 2002.
[9] Treasury Inspector General for Tax Administration Federal Information Security Management
    Act Report Fiscal Year 2004, dated September 10, 2004.
[10] The CADE is the foundation for managing taxpayer accounts in the IRS modernization plan.
     The CADE will consist of databases and related applications to replace the IRS’ existing
     Master File processing systems.

Copies of this report are also being sent to the IRS managers affected by the report
recommendations. Please contact me at (202) 622-6510 if you have questions or
Margaret E. Begg, Assistant Inspector General for Audit (Information Systems
Programs), at (202) 622-8510.

Table of Contents

Background
Management Increased Emphasis on Emergency Management and Preparedness,
Including Disaster Recovery Planning
Significant Disaster Recovery Program Weaknesses Continue to Be Unresolved
    Recommendation 1
    Recommendation 2
Appendix I – Detailed Objective, Scope, and Methodology
Appendix II – Major Contributors to This Report
Appendix III – Report Distribution List
Appendix IV – Previously Issued Audit Reports Reviewed
Appendix V – Management’s Response to the Draft Report

Background

The Internal Revenue Service (IRS) Commissioner stated,
in the IRS Strategic Plan 2005 – 2009,[1] “. . . providing
excellent service to taxpayers and enforcing America’s tax
laws in a balanced manner . . .
are equally important
priorities.” The Strategic Plan includes the goal “Modernize
the IRS through its People, Processes and Technology” and
the objective “Ensure the Safety and Security of People,
Facilities and Information Systems.” The means and
strategies to accomplish this objective include “Develop,
exercise and maintain continuity of operations plans,
contingency plans and other measures to protect critical
infrastructure.” The Strategic Plan states the IRS will
implement disaster recovery capabilities for the Computing
Centers,[2] plans for critical infrastructure assets, and business
continuity plans for all mission critical and business
essential processes, facilities, and assets.

Disaster recovery is an organization’s ability to respond to
an interruption in services by implementing a plan to restore
critical business functions. Disaster recovery is a subset of
interrelated business continuity disciplines including
business resumption, occupant emergency planning, and
incident management.
A disaster recovery plan defines the
resources, actions, tasks, and data required to restore
information systems in the event of a business interruption.
The plan is designed to assist in restoring the business
process within the stated disaster recovery goals, thereby
minimizing the effects of a major disruption.

The Modernization and Information Technology Services
(MITS) and Mission Assurance (MA) organizations have
disaster recovery responsibilities. The MITS organization is
responsible for developing and maintaining disaster
recovery plans to support information system contingency
and recovery operations. The MA organization is
responsible for establishing policies and procedures,
providing guidance, and overseeing the implementation of
the policies and procedures.

[1] Publication 3744, revised June 2004.
[2] IRS Computing Centers support tax processing and information management through a data
    processing and telecommunications infrastructure.

During Fiscal Years (FY) 2002 through 2004, we reviewed
several IRS disaster recovery strategies and other disaster
recovery related topics. Appendix IV lists the 11 prior audit
reports reviewed for this review’s overall assessment.

This review was performed in the offices of the Chief
Information Officer (CIO) and Chief, MA, at the IRS
National Headquarters in New Carrollton, Maryland, during
the period June through November 2004. The audit was
conducted in accordance with Government Auditing
Standards. Detailed information on our audit objective,
scope, and methodology is presented in Appendix I. Major
contributors to the report are listed in Appendix II.

Management Increased Emphasis on Emergency Management and Preparedness,
Including Disaster Recovery Planning

Office of Management and Budget (OMB) Circular
A-130, Management of Federal Information Resources,
requires Federal Government agencies to provide for
continuity of support and contingency planning for their
general support systems and major applications.
The Internal Revenue Manual (IRM) states senior management
responsibilities, shared among business units, require
coordination, such as allocation of resources and training to
implement business continuity plans, acquisition of alternate
workspace, and development of priorities for restoring
work. In particular, the Associate CIO, Information
Technology Services, is responsible for ensuring
information system resources are adequately protected and
consistent with security policies, standards, and procedures
and for ensuring contingency planning capabilities
(e.g., disaster recovery). The Chief, MA, is responsible for
ensuring all applicable security policies, procedures, and
control techniques are implemented for systems and
processing facilities; evaluating and overseeing all major
information security programs; and managing core security
operations, including existing disaster recovery capabilities.

During FYs 2002 through 2004, IRS management initiated
and/or completed several actions that demonstrated the
increased emphasis on emergency management and
preparedness.
For example:

  • The MITS organization received $13.5 million for
    antiterrorist spending in January 2002 and
    implemented an inhouse Master File[3] disaster
    recovery capability to address the disaster recovery
    material weakness.
  • In December 2003, the MA organization began
    coordinating the Business Resumption Strategy
    (BRS) and Disaster Recovery Strategy (DRS)
    development efforts with the MITS organization and
    other business units.
    Each organization is
    identifying its BRS and validating the critical
    business processes,[4] recovery time objectives,[5] and
    recovery point objectives.[6] This information will be
    used to set the DRS requirements and priorities for
    the MITS organization disaster recovery plans.
  • The Chief, MA, issued a memorandum, dated
    July 2, 2004, to business operating division
    commissioners and support organization chiefs
    citing the Commissioner’s priority to enhance the
    IRS’ security posture and related emergency
    management and preparedness capabilities.
  • In July 2004, the Emergency Management and
    Preparedness Working Group was established to
    help coordinate and facilitate all IRS emergency
    preparedness activities, including information
    systems contingency and disaster recovery planning.
  • Corrective actions for Treasury Inspector General
    for Tax Administration (TIGTA) audit
    recommendations are being completed. Examples of
    corrective actions completed in FYs 2003 and 2004
    include:
      o MA organization management coordinated with
        the various IRS organizations managing the
        business continuity and disaster recovery
        planning area to define the roles, responsibilities,
        and expectations for each area (see Appendix IV,
        Audit Report number 1).
      o MITS organization management assigned the
        responsibilities for preparing and testing
        Computing Center disaster recovery plan
        sections to appropriate personnel (see
        Appendix IV, Audit Report numbers 3, 8, and 9).
      o Detroit Computing Center management
        corrected midrange computer disaster recovery
        data and documentation backup and offsite
        storage problems (see Appendix IV, Audit
        Report number 3).
      o MITS organization personnel conducted annual
        Computing Center mainframe computer system
        disaster recovery plan tests in 2004, including
        integrated testing of selected interdependent
        mainframe computer disaster recovery plans (see
        Appendix IV, Audit Report numbers 6 and 9).

While senior management has committed the IRS to
emergency management and preparedness, additional
resources and improved management oversight are needed
to ensure the information systems that support the IRS
Commissioner’s service and enforcement priorities can be
recovered timely if a disaster occurs.

[3] The IRS database that stores various types of taxpayer account information. The Individual,
    Business, and Employee Plans Master Files were identified as critical business systems.
[4] Mission critical business processes include processing remittances, tax returns, and tax
    refunds; administrative and infrastructure critical processes include providing a safe and
    equipped working environment and processing payroll.
[5] The time needed to recover from a disaster; how long the IRS could afford to be without its
    information systems.
[6] Describes the age of the data to be restored in the event of a disaster; the amount of data
    the IRS could afford to lose.

Significant Disaster Recovery Program Weaknesses Continue to Be Unresolved

The Federal Information Security Management Act
(FISMA)[7] requires each Federal Government agency to
develop, document, and implement an agency-wide
information
security program that includes plans and
procedures to ensure continuity of operation for information
systems that support agency operations and assets.
Department of the Treasury Publication 85-01
(TD P 85-01), Treasury Information Technology Security
Program, states bureaus shall develop and maintain detailed
disaster recovery plans and the associated recovery
capability in the event normal operations are disrupted. The
IRM requires IRS management to allocate the resources
required to support the recovery of critical processes and
applications, including computer hardware and software.

[7] E-Government Act of 2002, Pub. L. No. 107-347, Title III, Section 301, 2002.

In addition, the Federal Managers’ Financial Integrity Act of
1982 (FMFIA)[8] requires each Federal Government agency
to conduct annual evaluations of its systems of internal
accounting and administrative control.
Each agency is also
required to prepare an annual report for the Congress and
the President that identifies material weaknesses and the
agency’s corrective action plans and schedules.

Analysis of prior TIGTA audit reports identified recurring disaster recovery
program weaknesses

We analyzed 11 prior audit reports to identify recurring
disaster recovery program weaknesses and concluded IRS
management has not effectively addressed the program
weaknesses. Details about the audit reports analysis are
included in Table 1 (see Appendix IV for a list of the
11 audit reports).

[8] 31 U.S.C. §§ 1105, 1113, 3512 (2000).

Table 1: Reported Disaster Recovery Program Weaknesses

Reported Issues (table columns; X = issue reported, - = not reported):
  A = Modernization systems being placed in production without a disaster recovery capability
  B = Disaster recovery capability not sufficient or cost effectiveness not assured
  C = Data not protected or easily retrievable
  D = Disaster recovery roles and responsibilities not assigned and employees not trained
  E = Disaster recovery plans not complete and accurate
  F = Annual disaster recovery tests not conducted or not effective

Audit Reports (Appendix IV lists the audit report titles)        A   B   C   D   E   F
 1. The Business Continuity Program                              -   -   -   X   -   -
 2. Protecting Critical Assets                                   -   -   X   X   -   -
 3. The Consolidated Midrange Computer Systems                   -   X   X   X   X   X
 4. Software Products to Manage and Control Computer Resources   -   -   -   X   -   X
 5. The Integrated Financial System                              X   -   -   -   -   -
 6. The Master File                                              -   -   X   X   X   X
 7. The Custodial Accounting Project                             X   -   -   -   -   -
 8. Data Communications                                          -   X   -   X   X   X
 9. The Mainframe Computer Systems                               -   X   X   X   X   X
10. The Integrated Financial System                              -   -   -   -   -   X
11. The Customer Account Data Engine                             X   -   -   -   -   -
    Number of Reports                                            3   3   4   7   4   6

Source: TIGTA audit reports.

We also analyzed the status of IRS management’s corrective
actions on the recommendations included in the 11 audit
reports.
Details about the corrective action status analysis are included in Table 2.

Table 2: Status of Management’s Corrective Actions

Status (as of September 4, 2004):
  A  Number of Corrective Actions
  B  Open and Original Date Not Due
  C  Open With Extended Due Date
  D  Closed by Original Due Date
  E  Closed With Extended Due Date

Audit Reports (Appendix IV lists the audit report titles)       A     B     C     D     E
-----------------------------------------------------------------------------------------
 1. The Business Continuity Program                             4                 4
 2. Protecting Critical Assets                                  2     1           1
 3. The Consolidated Midrange Computer Systems                  9           2     3     4
 4. Software Products to Manage and Control Computer Resources  1                 1
 5. The Integrated Financial System                             1     1
 6. The Master File                                             7     5     1     1
 7. The Custodial Accounting Project                            1     1
 8. Data Communications                                         8     5           3
 9. The Mainframe Computer Systems                              11    11
10. The Integrated Financial System                             0
11. The Customer Account Data Engine
-----------------------------------------------------------------------------------------
    Number of Corrective Actions                                44    24    3     13    4

Source: TIGTA audit reports and Department of the Treasury Joint Audit Management
Enterprise System Audit Summary reports.

The scheduled completion dates for 27 open corrective actions ranged from September 2004
to January 2007. Management had not responded to a draft report (Audit Report number 11)
or provided completion dates for corrective actions to two recommendations as of the
date of our analysis. Therefore, the corrective actions will not immediately alleviate
the disaster recovery risks.

Shrinking budgets have limited management’s efforts to correct disaster recovery
problems

We determined insufficient resources was one of the causes for recurring disaster
recovery problems. The IRS Information Systems (IS) and Business Systems Modernization
(BSM) budgets[9] have decreased over the last several years. In FY 2003, the IS and BSM
budgets provided 7,466 Full-Time Equivalents (FTE)[10] and $1.971 billion.
However, the President’s FY 2005 IS and BSM budget requests would provide 7,385 FTEs
(1.1 percent reduction) and $1.958 billion (0.7 percent reduction, including a
24.4 percent reduction in the BSM budget).

Since October 2001, MITS organization management has worked to provide resources to
improve disaster recovery capabilities, with limited results. After the terrorist
attacks on September 11, 2001, IRS management considered MITS organization requests for
$87.6 million for disaster recovery improvements, and the Congress approved
$13.5 million for the Master File disaster recovery capability. In the review and
approval process, requests for $74.1 million were turned down, including:

    • Designing and defining the architecture for the Competency-Based Organization
      (CBO) and enterprise command centers. MITS organization management cited these
      two areas as corrective action for a Master File Disaster Recovery TIGTA audit
      recommendation (see Appendix IV, Audit Report number 6) and is using operations
      funds to implement the CBO.
    • Upgrading the Enterprise Computing Center (ECC) mainframe computer disaster
      recovery capability. Insufficient ECC processing capacity was a finding in the
      Mainframe Computer Disaster Recovery TIGTA audit report (see Appendix IV, Audit
      Report number 9).

[9] The IS appropriation includes all of the automated data processing and
telecommunications resources, including labor, hardware and software purchases, and
other operations expenses.
[10] A measure of labor hours in which 1 FTE is equal to 8 hours multiplied by the
number of compensable days in a particular fiscal year. For FY 2004, 1 FTE was equal to
2,096 staff hours. For FY 2005, 1 FTE is equal to 2,088 hours.

For FY 2005, Enterprise Operations office management requested $16.7 million for ECC
mainframe computer improvements (e.g., Unisys mainframe computer upgrades, Virtual Tape
System[11] development) that would ensure disaster recovery capabilities. Management
categorized the upgrades and improvements as unfunded critical needs, but MITS
organization budget cuts have prevented management from reallocating funds to these
items. Without the mainframe computer upgrades and improvements, management estimated
that, by FY 2006, the ECC could not recover the systems that operate on the Unisys
mainframe computers if a disaster occurs.

In addition, the Modernization Disaster Recovery Project has not developed and
implemented a midrange computer system disaster recovery infrastructure although the
Modernized e-File (MeF) system[12] is in production and additional midrange computer
systems, such as the Integrated Financial System[13] and Custodial Accounting
Project,[14] are scheduled to enter production in FY 2005. The Modernization Disaster
Recovery Project did not implement the MeF system disaster recovery capability in
FY 2004 because only $3.3 million of the $9.9 million in the budget was provided to
develop the architecture. The funds provided did not cover the Project’s priorities. As
a result, work stopped on the midrange computer disaster recovery infrastructure. As of
September 2004, the remaining funds had not been provided and the infrastructure will be
delayed.

Finally, MITS organization management advised us personnel trained and responsible for
disaster recovery support duties (e.g., preparing and maintaining plans, test schedules,
etc.) were reassigned to the MA organization in the October 2003 MA organization
realignment. However, the MITS organization continues to be responsible for completing
the disaster recovery duties. MITS organization management also advised us senior MITS
and MA organization managers are working on this issue but, as of August 2004, had not
resolved how best to transfer the personnel resources or work.

[11] A virtual tape system combines high-speed disk, high-capacity tape, and storage
management software to allow quick access to tape volumes located physically on disk but
appearing to the computer as conventional tape.
[12] Develops the modernized web-based platform for filing IRS forms electronically.
[13] Provides the IRS better financial budgeting, planning, tracking, reporting, and
management.
[14] Uses a data warehousing approach to provide the IRS detailed taxpayer account
information to be used for analysis and financial reporting.

Insufficient management oversight has hampered the identification and resolution of
program weaknesses

We determined insufficient management oversight was also a cause for recurring disaster
recovery problems.

MA organization management advised us the FISMA requirements are the focus of their
security program oversight efforts. Draft FISMA procedures (issued in August 2004) state
TIGTA audit findings will be listed as system weaknesses on the FISMA Plans of Action
and Milestones (POA&M). The guidelines suggest management analyze system weaknesses to
identify systemic problems and elevate them to the POA&M program weakness level. The
POA&M status for each system and program weakness is reported quarterly to the OMB.
However, the TIGTA’s FY 2004 FISMA report to the Department of the Treasury[15] stated
the IRS POA&Ms do not contain details sufficient to permit oversight and tracking of
security weaknesses. As a result, the current POA&M system weaknesses do not
individually identify the TIGTA audit findings and, therefore, could not be analyzed for
systemic problems (i.e., recurring issues that might indicate a systemic problem) that
should be elevated to the program weakness level. The IRS continues to have significant
disaster recovery program issues because it has not effectively implemented management
controls, such as FISMA POA&M procedures.

The IRS Commissioner’s service and enforcement priorities are heavily dependent on the
information systems that support the critical business processes.
However, insufficient resources to implement and operate disaster recovery capabilities,
and insufficient management oversight to ensure disaster recovery policies and standards
are followed, increase the risk the critical systems supporting the Commissioner’s
service and enforcement priorities cannot be timely recovered if a disaster occurs.

[15] Treasury Inspector General for Tax Administration Federal Information Security
Management Act Report Fiscal Year 2004, dated September 10, 2004.

Recommendations

To ensure the Commissioner’s service and enforcement priorities can be met, the CIO
should:

1. Report a disaster recovery program material weakness to the Department of the
   Treasury as part of the IRS’ FMFIA annual evaluation of controls and include the
   following activities (new and currently underway) in the corrective action plan:
   • Obtaining MITS and MA organization and business unit executive support for the
     establishment of BRS and DRS effort due dates and the monitoring and reporting of
     the progress and status of the efforts.
   • Completing the BRS and DRS efforts and identifying the MITS organization disaster
     recovery requirements (including Modernization requirements).
   • Conducting a gap analysis to identify the difference between the MITS organization
     disaster recovery requirements and current capabilities.
   • Coordinating with IRS, Department of the Treasury, and OMB management to obtain the
     resources needed to correct the material weakness.

Management’s Response: IRS management will declare the disaster recovery program a
material weakness.
IRS management responded the IRS could recover all vital data for the most mission
critical information technology systems, including the Master File and the Customer
Account Data Engine (CADE).[16] They are committed to increasing their disaster recovery
capabilities based on available funding and an evaluation of cost and risk factors. The
MA organization is responsible for coordinating the development of an IRS-wide business
resumption strategy. The MITS organization has identified its current disaster recovery
and business resumption strategies, including both data recovery point and recovery time
objectives, for all major systems. A listing of the crucial business processes required
to continue fulfilling IRS tax administration responsibilities has been identified and
prioritized. Further analysis of this prioritization will include mapping the critical
business processes to the specific computing system major applications and general
supporting systems that directly support those IRS critical business processes, along
with conducting a gap analysis to identify inadequate disaster recovery capabilities.
In addition, IRS management will coordinate with the Department of the Treasury and the
OMB to request the funding needed to support the business resumption and disaster
recovery requirements.

2. Work with the Chief, MA, to implement FISMA POA&M procedures to analyze system
   weaknesses for systemic problems and elevate them as program-level weaknesses.

Management’s Response: IRS senior leadership established an executive working group to
identify roles and responsibilities and to provide the leadership and guidance needed to
implement FISMA POA&M procedures.

[16] The CADE is the foundation for managing taxpayer accounts in the IRS modernization
plan. The CADE will consist of databases and related applications to replace the IRS’
existing Master File processing systems.


Appendix I

Detailed Objective, Scope, and Methodology

The objective of this review was to provide an overall assessment of the Internal
Revenue Service’s (IRS) disaster recovery program. To accomplish this objective, we:

I.   Reviewed guidance documents and interviewed Modernization and Information
     Technology Services (MITS) and Mission Assurance (MA) organization management
     officials to determine whether policies and procedures clearly defined the
     responsibilities for ensuring the disaster recovery program is effective.
     A. Reviewed Office of Management and Budget, Department of the Treasury, and IRS
        policies and procedures documents and prior Treasury Inspector General for Tax
        Administration (TIGTA) audits to document IRS management’s disaster recovery
        program management and oversight roles and responsibilities.
     B. Interviewed MITS and MA organization managers about their disaster recovery
        oversight roles and responsibilities and determined whether the roles and
        responsibilities were clearly defined and effectively performed.
II.  Reviewed 11 previously issued TIGTA audit reports on the IRS’ disaster recovery
     program activities after the terrorist attacks on September 11, 2001, and the
     status of management’s corrective actions to identify trends in the findings and
     recommendations.
     A. Reviewed 11 TIGTA audit reports and the Joint Audit Management Enterprise System
        Corrective Action Form status reports for 44 recommendations as of
        September 4, 2004, to identify trends.
        1. For the audits listed in Appendix IV, prepared a schedule containing the
           findings, recommendations, management responses and original due dates, and
           status of the corrective actions, including revised due dates and status
           descriptions.
        2. Evaluated the schedule prepared in Step II.A.1. to identify trends.
     B. Reviewed the trends identified in Step II.A.2. to determine whether corrective
        actions implemented on earlier recommendations were not effective and had an
        impact on later findings.
III. Determined the higher-level cause(s) for identified trends.
     A. Interviewed MITS and MA organization managers to obtain their explanations for
        the trends and determined whether other factors resulted in the corrective
        actions not being effective or implemented.
     B. Reviewed documentation supporting the managers’ explanations of other factors
        that resulted in the corrective actions not being effective or implemented and
        determined the causes of these factors.


Appendix II

Major Contributors to This Report

Margaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs)
Gary Hinkle, Director
Danny Verneuille, Audit Manager
Frank Greene, Lead Auditor
Michael Garcia, Senior Auditor
Kim McManis, Auditor


Appendix III

Report Distribution List

Commissioner C
Office of the Commissioner – Attn: Chief of Staff C
Deputy Commissioner for Operations Support OS
Associate Chief Information Officer, Information Technology Services OS:CIO:I
Acting Director, Assurance Programs OS:MA:AP
Director, Operational Assurance OS:MA:O
Director, Stakeholder Management OS:CIO:SM
Director, Enterprise Operations OS:CIO:I:EO
Director, Detroit Computing Center OS:CIO:I:EO:DC
Director, Enterprise Computing Center OS:CIO:I:EO:MC
Chief Counsel CC
National Taxpayer Advocate TA
Director, Office of Legislative Affairs CL:LA
Director, Office of Program Evaluation and Risk Analysis RAS:O
Office of Management Controls OS:CFO:AR:M
Audit Liaisons:
    Chief, Mission Assurance OS:MA
    Associate Chief Information Officer, Information Technology Services OS:CIO:I
    Director, Enterprise Operations OS:CIO:I:EO
    Manager, Program Oversight Office OS:CIO:SM:PO


Appendix IV

Previously Issued Audit Reports Reviewed

The 11 Treasury Inspector General for Tax Administration Audit Reports reviewed for the
overall assessment of the disaster recovery program are:

1.  The Internal Revenue Service Has Made Substantial Progress in Its Business
    Continuity Program, but Continued Efforts Are Needed (Reference Number 2003-20-026,
    dated December 2002).
2.  Progress Has Been Made in Protecting Critical Assets (Reference Number 2003-20-047,
    dated February 2003).
3.  Improvements Are Needed to Effectively Implement the Disaster Recovery Strategy for
    Consolidated Mid-Range Computer Systems (Reference Number 2003-20-084, dated
    April 2003).
4.  The Implementation of Software Products to Manage and Control Computer Resources
    Needs Improvement (Reference Number 2003-20-151, dated July 2003).
5.  Risks Are Mounting as the Integrated Financial System Project Team Strives to Meet
    an Aggressive Implementation Date (Reference Number 2004-20-001, dated
    October 2003).
6.  The Master File Disaster Recovery Exercise Was Completed, but Significant
    Vulnerabilities Should Be Addressed (Reference Number 2004-20-053, dated
    March 2004).
7.  The Custodial Accounting Project Team Is Making Progress; However, Further Actions
    Should Be Taken to Increase the Likelihood of a Successful Implementation
    (Reference Number 2004-20-061, dated March 2004).
8.  Additional Disaster Recovery Planning, Testing, and Training Are Needed for Data
    Communications (Reference Number 2004-20-079, dated April 2004).
9.  Mainframe Computer Disaster Recovery Risks Are Increased Due to Insufficient
    Computer Capacity and Testing (Reference Number 2004-20-142, dated August 2004).
10. The Integrated Financial System Project Team Needs to Resolve Transition Planning
    and Testing Issues to Increase the Chances of a Successful Deployment (Reference
    Number 2004-20-147, dated August 2004).
11. To Ensure the Customer Account Data Engine’s Success, Prescribed Management
    Practices Need to Be Followed (Reference Number 2005-20-005, dated November 2004).


Appendix V

Management’s Response to the Draft Report